{ pkgs, lib, config, hostName, ... }:
# nginx front-end for this host: ACME-backed TLS, a catch-all default vhost
# that drops requests for unknown names, and the firewall/router openings
# for ports 80 and 443.
let
  inherit (config) networking;
  inherit (config.services) nginx;

  # Supplementary groups granted to the nginx user.  Every entry widens what
  # the worker processes can read: `acme` for the certificates, `keys` for
  # whatever secrets are shared through that group (all of them, not only
  # the ones nginx needs), `transmission` presumably for served downloads.
  # NOTE(review): a per-secret group would be tighter than `keys` if the
  # secrets module in use allows it — confirm what that group exposes.
  nginxGroups = [ "acme" "keys" "transmission" ];

  # One UPnP mapping on the upstream router, re-requested every 30 minutes
  # and started/stopped together with nginx.service.
  upnpRedirection = description: externalPort: {
    inherit description externalPort;
    protocol = "TCP";
    duration = 30 * 60;
    service.wantedBy = [ "nginx.service" ];
    service.partOf = [ "nginx.service" ];
  };
in
{
  imports = [
    ../../nixos/profiles/services/nginx.nix
    nginx/sourcephile.fr.nix
  ];

  users.groups = lib.genAttrs nginxGroups (_: { members = [ nginx.user ]; });

  # Host firewall: accept HTTP(S) on the network-facing input chain.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        tcp dport { http, https } counter accept comment "HTTP(S)"
      }
    }
  '';

  # Served content lives on a dedicated ZFS dataset of the host pool.
  fileSystems."/var/lib/nginx" = {
    device = "${hostName}/var/www";
    fsType = "zfs";
  };

  # Ask the router to forward 80/443 here while nginx runs: this exposes
  # nginx to the Internet, not only to the LAN behind the router.
  services.upnpc.redirections = [
    (upnpRedirection "HTTP" 80)
    (upnpRedirection "HTTPS" 443)
  ];

  services.nginx = {
    enable = true;
    # fancyindex provides generated directory listings; any vhost enabling
    # it exposes the file names under its root.
    package = pkgs.nginx.override {
      modules = with pkgs.nginxModules; [ fancyindex ];
    };
    # Upstream names are resolved through the local resolver only, so no
    # DNS query leaves the host for nginx's sake; `valid = ""` leaves the
    # TTL handling at the module default (confirm against the NixOS option).
    resolver = {
      addresses = [ "127.0.0.1:53" ];
      valid = "";
    };
    # Catch-all for requests whose Host/SNI matches no other vhost.  The TLS
    # handshake still completes with the networking.domain certificate
    # (so that certificate is visible to anyone probing the IP), plain HTTP
    # is presumably first redirected by forceSSL, and the connection is then
    # dropped without an HTTP response.
    virtualHosts."_" = {
      default = true;
      forceSSL = true;
      useACMEHost = networking.domain;
      extraConfig = ''
        # Connection closed without response
        return 444;
      '';
    };
  };
}